Splunk Search

Advise a rex for domain\username example windows\mathews

LintuMathews
Explorer

can you please advise a rex for domain\username example windows\mathews

Below is sample of event I am trying to extract

http://windows/corp/it/us\x00\x00admin/forms/allitems.aspx\x00windows\mathews\x00
Tags (1)
0 Karma

somesoni2
Revered Legend

Give this a try

Updated

your base search | rex field=yourfieldname  "windows\\\\(?<UserName>\w+)"

Runanywhere sample search

| gentimes start=-1 | eval temp="http://windows/corp/it/us\x00\x00admin/forms/allitems.aspx\x00windows\mathews\x00" | table temp | rex field=temp "windows\\\\(?<UserName>\w+)"
0 Karma

LintuMathews
Explorer

Didn't work out, the domain name here "windows`mathews`" where "windows" is like a static domain name i have in all the logs meaning I dont have anyother domains except "windows", I just want to grab the username out of it

0 Karma

somesoni2
Revered Legend

try the updated query

0 Karma

Skippy
Explorer

That will work if your usernames only ever contain a-z 0-9 or _

This one will match any character up to a \

your base search | rex field=yourfieldname "windows\\(?.+?)\"

0 Karma

LintuMathews
Explorer

I was hoping something like this would work, this was generated through the erex , but needs some adjustments i guess

rex "(?i)windows\(?P[^\]+)"

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...